| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Apr 2022 03:23:22 +0200
From: Lech Perczak <lech.perczak@...il.com>
To: netdev@...r.kernel.org, linux-usb@...r.kernel.org
Cc: Bjørn Mork <bjorn@...k.no>,
Kristian Evensen <kristian.evensen@...il.com>,
Oliver Neukum <oliver@...kum.org>
Subject: Re: [PATCH v2 2/3] rndis_host: enable the bogus MAC fixup for ZTE
devices from cdc_ether
W dniu 2022-04-13 o 02:11, Lech Perczak pisze:
> Certain ZTE modems, namely: MF823. MF831, MF910, built-in modem from
> MF286R, expose both CDC-ECM and RNDIS network interfaces.
> They have a trait of ignoring the locally-administered MAC address
> configured on the interface both in CDC-ECM and RNDIS part,
> and this leads to dropping of incoming traffic by the host.
> However, the workaround was only present in CDC-ECM, and MF286R
> explicitly requires it in RNDIS mode.
>
> Re-use the workaround in rndis_host as well, to fix operation of MF286R
> module, some versions of which expose only the RNDIS interface. Do so by
> introducing new flag, RNDIS_DRIVER_DATA_BOGUS_MAC, and testing for it in
And I just noticed that I forgot to rename that flag here, as well as
one unneded whitespace change creeped in. Will resend V3 shortly.
> rndis_rx_fixup. This is required, as RNDIS uses frame batching, and all
> of the packets inside the batch need the fixup. This might introduce a
> performance penalty, because test is done for every returned Ethernet
> frame.
>
> Apply the workaround to both "flavors" of RNDIS interfaces, as older ZTE
> modems, like MF823 found in the wild, report the USB_CLASS_COMM class
> interfaces, while MF286R reports USB_CLASS_WIRELESS_CONTROLLER.
>
> Suggested-by: Bjørn Mork <bjorn@...k.no>
> Cc: Kristian Evensen <kristian.evensen@...il.com>
> Cc: Oliver Neukum <oliver@...kum.org>
> Signed-off-by: Lech Perczak <lech.perczak@...il.com>
> ---
> v2:
> - Ensured that MAC fixup is applied to all Ethernet frames inside an
> RNDIS batch. Thanks to Bjørn for finding the issue.
> - Introduced new driver flag to facilitate the above.
>
> drivers/net/usb/rndis_host.c | 33 ++++++++++++++++++++++++++++++++-
> include/linux/usb/rndis_host.h | 1 +
> 2 files changed, 33 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c
> index 247f58cb0f84..18b27a4ed8bd 100644
> --- a/drivers/net/usb/rndis_host.c
> +++ b/drivers/net/usb/rndis_host.c
> @@ -485,10 +485,14 @@ EXPORT_SYMBOL_GPL(rndis_unbind);
> */
> int rndis_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
> {
> + bool dst_mac_fixup;
> +
> /* This check is no longer done by usbnet */
> if (skb->len < dev->net->hard_header_len)
> return 0;
>
> + dst_mac_fixup = !!(dev->driver_info->data & RNDIS_DRIVER_DATA_DST_MAC_FIXUP);
> +
> /* peripheral may have batched packets to us... */
> while (likely(skb->len)) {
> struct rndis_data_hdr *hdr = (void *)skb->data;
> @@ -523,10 +527,17 @@ int rndis_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
> break;
> skb_pull(skb, msg_len - sizeof *hdr);
> skb_trim(skb2, data_len);
> +
> + if (unlikely(dst_mac_fixup))
> + usbnet_cdc_zte_rx_fixup(dev, skb2);
> +
> usbnet_skb_return(dev, skb2);
> }
>
> /* caller will usbnet_skb_return the remaining packet */
> + if (unlikely(dst_mac_fixup))
> + usbnet_cdc_zte_rx_fixup(dev, skb);
> +
> return 1;
> }
> EXPORT_SYMBOL_GPL(rndis_rx_fixup);
> @@ -578,7 +589,6 @@ rndis_tx_fixup(struct usbnet *dev, struct sk_buff *skb, gfp_t flags)
> }
> EXPORT_SYMBOL_GPL(rndis_tx_fixup);
>
> -
> static const struct driver_info rndis_info = {
> .description = "RNDIS device",
> .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
> @@ -600,6 +610,17 @@ static const struct driver_info rndis_poll_status_info = {
> .tx_fixup = rndis_tx_fixup,
> };
>
> +static const struct driver_info zte_rndis_info = {
> + .description = "ZTE RNDIS device",
> + .flags = FLAG_ETHER | FLAG_POINTTOPOINT | FLAG_FRAMING_RN | FLAG_NO_SETINT,
> + .data = RNDIS_DRIVER_DATA_DST_MAC_FIXUP,
> + .bind = rndis_bind,
> + .unbind = rndis_unbind,
> + .status = rndis_status,
> + .rx_fixup = rndis_rx_fixup,
> + .tx_fixup = rndis_tx_fixup,
> +};
> +
> /*-------------------------------------------------------------------------*/
>
> static const struct usb_device_id products [] = {
> @@ -613,6 +634,16 @@ static const struct usb_device_id products [] = {
> USB_VENDOR_AND_INTERFACE_INFO(0x238b,
> USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
> .driver_info = (unsigned long)&rndis_info,
> +}, {
> + /* ZTE WWAN modules */
> + USB_VENDOR_AND_INTERFACE_INFO(0x19d2,
> + USB_CLASS_WIRELESS_CONTROLLER, 1, 3),
> + .driver_info = (unsigned long)&zte_rndis_info,
> +}, {
> + /* ZTE WWAN modules, ACM flavour */
> + USB_VENDOR_AND_INTERFACE_INFO(0x19d2,
> + USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
> + .driver_info = (unsigned long)&zte_rndis_info,
> }, {
> /* RNDIS is MSFT's un-official variant of CDC ACM */
> USB_INTERFACE_INFO(USB_CLASS_COMM, 2 /* ACM */, 0x0ff),
> diff --git a/include/linux/usb/rndis_host.h b/include/linux/usb/rndis_host.h
> index 809bccd08455..cc42db51bbba 100644
> --- a/include/linux/usb/rndis_host.h
> +++ b/include/linux/usb/rndis_host.h
> @@ -197,6 +197,7 @@ struct rndis_keepalive_c { /* IN (optionally OUT) */
>
> /* Flags for driver_info::data */
> #define RNDIS_DRIVER_DATA_POLL_STATUS 1 /* poll status before control */
> +#define RNDIS_DRIVER_DATA_DST_MAC_FIXUP 2 /* device ignores configured MAC address */
>
> extern void rndis_status(struct usbnet *dev, struct urb *urb);
> extern int
--
Pozdrawiam/Kind regards,
Lech Perczak
Powered by blists - more mailing lists